According to the annual Commonwealth cyber security posture report, only 35 per cent of federal government entities reported at least 50 per cent of the cyber security incidents they observed in the 2024–25 financial year.
While this represents an increase from 32 per cent in the previous fiscal year, the reporting rate remains low despite the ASD responding to 408 government agency cyber incidents during the year, a third of all cyber security events the agency handled across the country.
“The percentage of entities reporting cyber security incidents to ASD remained low,” the ASD said.
“Any degradation in the quantity or quality of information reported to ASD reduces our capacity to support the entity to mitigate the impacts of cyber compromise.”
Furthermore, this problem continues despite 62 per cent of entities reporting that they inform senior executives of at least 80 per cent of cyber incidents.
In 2025, the ASD notified government agencies of malicious cyber activity it had detected through its monitoring capabilities 233 times.
While it is unclear why these agencies are reporting so infrequently, under the Protective Security Policy Framework (PSPF), Commonwealth entities that are non-corporate are required to report significant or externally reportable incidents to the ASD.
However, it could be that the agencies are noting a large number of low-impact incidents they don’t feel the need to report.
Daniel Croft